Need help in creating Certification Campaign using REST API

Hi,

I am trying to develop API Call to generate Manager certificate in IDN. According to the API, I need to specify the Campaign Filter.

Can we get the Campaign Filter ID?
How to get the list of Campaign Filter , Is there any API call ?
Can we specify filter criteria directly without Campaign Filter ID?
Did any one tried using the Create Campaign API?

{
  "name": "Manager Review",
  "description": "A review of everyone's access by their manager.",
  "deadline": "2020-12-25T06:00:00.468Z",
  "type": "MANAGER",
  "emailNotificationEnabled": false,
  "autoRevokeAllowed": false,
  "recommendationsEnabled": false,
  "filter": {
    "type": "CAMPAIGN_FILTER",
    "id": "e0adaae69852e8fe8b8a3d48e5ce757c"
  }
}

Appreciate any Inputs!

Thank you!
Sailaja P

1 Like

Hello @sailajaprathi,

According to the API docs for /beta/campaigns, only three fields are required: name, description, type. All of the other fields are optional. So at a bare minimum, you can send the following request body:

{
    "name": "Manager Review",
    "description": "A review of everyone’s access by their manager.",
    "type": "MANAGER"
}

There currently isn’t a public API to list or create campaign filters. In order to get a campaign filter ID, you will need to login to your IDN tenant and go to the campaign filters UI. Select the campaign filter you want to use and you can get the GUID from the URL. For example: https://{tenant}.identitynow.com/ui/admin#admin:cert:filters:fc95eb8c1ec021eef804abcf23590c09. You can take that GUID and use it in your request body.

{
    "name": "Manager Review",
    "description": "A review of everyone’s access by their manager.",
    "type": "MANAGER",
    "filter": {
        "id": "fc95eb8c1ec021eef804abcf23590c09",
        "type": "CAMPAIGN_FILTER"
    }
}

You must create a Campaign Filter in the IdentityNow Admin UI before you can use it. You can’t specify the filter rules directly via the API at this time.

Hi colin.mckibben,

Thank you for the details, We are trying to use this API call for Certification generation based on the Identity Attribute Change event. I was referring to
AWS Event Bridge and SailPoint Event Triggers post. But observed that Version1 API calls were used for creating campaign. Can we use the Version1 API calls? What is the recommendation here?

Thank you!
Sailaja

1 Like

You can use the version 1 API calls, but they are considered private and don’t have full support. They aren’t well documented and can change at any time. I recommend using our v3 and beta APIs (in that order) before resorting to the private APIs, as they have much better documentation and are supported for the long term. We are working on adding more functionality to beta and v3 all the time, but if you have a specific request for what you would like to see in our production APIs, please don’t hesitate to reach out and let us know.

Hi Colin,

Thank you for your quick response. I completely agree with you. So, I am trying to use below beta Version API call:

{
    "name": "Test Manager Certification Review through API",
    "description": "Test Manager Certification Review through API",
    "deadline": "2021-06-07T00:00Z",
    "type": "SEARCH",
	"searchCampaignInfo": {
            "type": "IDENTITY",
            "description": null,
            "reviewerId": "xxxx",
            "query": null,
            "identityIds": ["xxxx"],
            "accessConstraints": [ ]
        },
    "emailNotificationEnabled": false,
    "autoRevokeAllowed": false,
    "recommendationsEnabled": false   
}

But It is auto completing. I am trying to create a Manager Certification for a particular Identity ID with all access information presented for review.
Is it possible ?

Thank you!

1 Like

The most likely reason your campaign is automatically completing is because the identity you selected doesn’t have any entitlements that need to be reviewed. I created a test in my tenant to reproduce this, and here is what I found.

I have an identity called “Sheena Martin”. She has an account in an authoritative source, but no other entitlements. When I create a campaign using the following body, the campaign autocompletes because there is nothing to review.

{
    "name": "Test 1",
    "description": "A test",
    "type": "SEARCH",
    "searchCampaignInfo": {
        "type": "IDENTITY",
        "reviewerId": "2c9180867624cbd7017642d8c8c81f67",
        "identityIds": ["2c918085771b670d01771c567e650913"]
    }
}

I then created an access profile on another source in my system. Sheena met the access profile criteria and was added to the source. I then created another campaign with the same request body and this time the campaign became active and is awaiting my approval.

Try generating a campaign with your request body, but include a mix of identities that have various access profiles and entitlements.

1 Like

Hi Colin,

Thank you for the check, I have two users with similar ID picked wrong ID earlier. I am able to generate the Certification now. Can I generate Manager Certification using searchCampaignInfo / Can we generate Manager Certification for specific identitiy ID’s?

–Sailaja

1 Like

You can’t use the searchCampaignInfo object if you select the MANAGER campaign type. You will get a 400 Bad Request. I think the easiest way to generate a manager certification with specific identities is to use the searchCampaignInfo object and make the reviewerId your manager and the identityIds array the list of specific reports for the manager. For example:

{
    "name": "Manager Campaign",
    "description": "Campaign for manager with a subset of identities",
    "type": "SEARCH",
    "searchCampaignInfo": {
        "type": "IDENTITY",
        "reviewerId": "2c9180867624cbd7017642d8c8c81f67", // The manager
        "identityIds": ["2c918085771b670d01771c567e650913"] // One or more specific identities that report to the manager
    }
}

HI Colin,

Thank you for the information.

-Sailaja

One thing to note, make sure you provide a deadline in your “create” post if you intend to immediately activate it with script in a subsequent call.

2 Likes